Revenge of Mars!

[IainMcNeil]

It's been another long night and hard day with further sustained malicious attacks on the Slitherine server. We had to take the site offline to protect it and repair the damage and after many hours we're now back online.

The latest attack was completely different to the initial one and affected the server in a different way. While the changes we made did not stop the attack, this time we were able to trace how they got in and added extra protection to ensure this cannot happen again. In addition we were able to trace the IP address where the attack originated which is a huge step forwards in tracking down who did this.

As a result of the latest attack we have unfortunately lost some more data. This means any multiplayer turns played on the 8th March will be lost and games will revert to their state on the 7th March. We have also lost forum posts from the 8th March. The PBEM system is not fully online yet but we will have it back up in the next couple of hours.

We'd like to apologise again for any inconvenience. Thanks for your continued patience and support.

[VPaulus]

Go get them!

[GrudgeBringer]

Good Job Guys....Hang em by their, well ya know what I mean.

From what I am gathering, we can (and I did get on the regular forum), but I might be the first one on there. I still can't get my password to get into games but I t DOES work here and the Forum. Hope that helps some.

[enric]

Maybe it's a stupid question, but who will be interested in doing this?, and why?,

[peterrjohnston]

Iain, do you recommend changing passwords? No idea how far in they got.

[IainMcNeil]

No need to change passwords - all passwords are stored hashed which means there is no way to work them out.

[shadowdragon]

Maybe it's a stupid question, but who will be interested in doing this?, and why?,

It's not a stupid question at all. Unfortunately it's not one that's being asked enough (i.e. who asks about security when buying their new mobile phone/tablet?); and many companies hide the fact that they've been a victim (i.e., don't want to lose customer confidence - full credit to slitherine for being up front on this).

Here's a wiki link to a list of the some things that have been going on:

http://en.wikipedia.org/wiki/List_of_cy ... eat_trends

You can google each one of the items listed and get more info, but one thing that you can be sure of is that the cyber threat world has moved waaaay beyond the geek in his basement/bedroom/garage doing a little bit of hacking.

[Arcticthunder]

No need to change passwords - all passwords are stored hashed which means there is no way to work them out.

That's only true as long as they are salted, i.e randomness added when they are hashed. This is one oversight many hacked companies have made and embarrassed publicly by Anonymous and LulzSec over the past two years. These companies were naive enough to not add any randomness to the hashed passwords.

Without randomness, it means the same passwords were hashed to the exact same value. So hackers just correlated those with the most popular passwords like Password1 and could make a pretty good guess what the passwords are.

So please double check that the passwords are salted, aka SSHA (secure salted hashing algorithm).

[Gersen]

Maybe it's a stupid question, but who will be interested in doing this?, and why?,

It's not a stupid question at all. Unfortunately it's not one that's being asked enough (i.e. who asks about security when buying their new mobile phone/tablet?); and many companies hide the fact that they've been a victim (i.e., don't want to lose customer confidence - full credit to slitherine for being up front on this).

Here's a wiki link to a list of the some things that have been going on:

http://en.wikipedia.org/wiki/List_of_cy ... eat_trends

You can google each one of the items listed and get more info, but one thing that you can be sure of is that the cyber threat world has moved waaaay beyond the geek in his basement/bedroom/garage doing a little bit of hacking.

But "why"? I don't get it. I understand motives behind crippling large corporations, Govt websites etc. But a wargaming hobby site?

[enric]

I think there are two main ways to try to understand reason behind this: profit or hate.
Profit. What economical profit could be obtained attaching a wargaming hobby site?, well maybe getting the VISAS of customers. but has really Slitherine this info? or is the PayPal or similar who keeps it?. Or the profit will come from avoiding Slitherine grown?.

Hate attack, because they feel Slitherine is joining the iPad side and they hate the iPad, sound stupid, no?.
Someone who has been fired, or a developer who feels rejected for a non accepted game for distribution?.

Two consecutive attacks are too much to be just hooliganism.

[timmy1]

Check where Phil Barker was when the two attacks occurred...

[shadowdragon]

Maybe it's a stupid question, but who will be interested in doing this?, and why?,

It's not a stupid question at all. Unfortunately it's not one that's being asked enough (i.e. who asks about security when buying their new mobile phone/tablet?); and many companies hide the fact that they've been a victim (i.e., don't want to lose customer confidence - full credit to slitherine for being up front on this).

Here's a wiki link to a list of the some things that have been going on:

http://en.wikipedia.org/wiki/List_of_cy ... eat_trends

You can google each one of the items listed and get more info, but one thing that you can be sure of is that the cyber threat world has moved waaaay beyond the geek in his basement/bedroom/garage doing a little bit of hacking.

But "why"? I don't get it. I understand motives behind crippling large corporations, Govt websites etc. But a wargaming hobby site?

As mentioned above there's two main reasons - profit (the primary one these days) and hate. I certainly can't speak to the specifics of this attack and probably slitherine shouldn't as it would be under investigation, but in the "profit camp" we have identity theft (not just credit card info, but addresses, names, passwords, etc. which could be amalgamated with info from other sites), testing capability, demonstrating capability, extortion, industrial espionage (stealing proprietary info), embedding malicious software in downloadable legitimate slitherine software, gaining access to servers (to gain control, gateway to more interesting systems), etc., etc. Remember you might only be seeing a piece of a larger game.

You might probably already know this, but, statistically, the odds are that your home computer is part of someone's bot-net (i.e., part of network of computers controlled by someone who would rent use of the network). Your anti-virus software probably won't detect the code since this type of code isn't as visible as the usual virus-type software.

Kudos to slitherine for acting responsibly and promptly, which means they seem to have excellent IT security awareness.

[hazelbark]

Check where Phil Barker was when the two attacks occurred...

He'sin the clear. Phil has yet to turn on the power switch to his slide rule. Computer. Don't be daft, you know they are a fad.